Nauticus Simplifies Load Balancing
Its N2000 uses virtual switching to provide consolidation.
July 1, 2003
N2000 configuration is a familiar process to those who use Cisco's IOS CLI (command-line interface). If you want a sexy UI, you won't be disappointed by the elegant, Flash-enhanced Web configuration option, complete with real-time statistical graphing.
The big drawback for those interested in gigabit connectivity is the use of small GBICs.
Nauticus N2000
I needed to use FC-to-SC converters to connect to Spirent's WebAvalanche and WebReflector in our Green Bay, Wis., Real-World Labs®. I needed to do the same when connecting to Extreme Networks' Summit7i--a necessity for including our Synthetic Network's gigabit copper-connected NetPressure clients for testing. The Nauticus processors cannot handle tristate interfaces, and, unfortunately, Nauticus chose 10/100 instead of a single-state gigabit copper interface, which the processors could support.
The most difficult part of configuration is adjusting to the device's virtual switching technology. The virtual switch (vSwitch) is like a VLAN for Layer 3 and above. It has its own memory and a user-configurable percentage of the processor. A vSwitch's routing tables (vRouter) and services are not accessible by other vSwitches; they are completely self-contained. Although it is possible to purchase an N2000 without this feature and use it as a strict Layer 4 server load-balancing device, the real power of the N2000 is in its virtualization and TCP termination capabilities.
Load Balancing
I tested a beta version of the N2000 at strict Layer 4, advanced Layer 4, Layer 7 and finally SSL. Strict Layer 4 load balancing does not take advantage of the TideRunner chipset and therefore does not do TCP termination. It allows only for a weighted hash algorithm to be used for load balancing and is used when speed is a necessity and all machines in the pool are equivalent. Sessions are passed through to the appropriate server (chosen by a weighted hash algorithm) and bound directly to that server.
Strict Layer 4 testing under the maximum load we could dish out with our Avalanche-Reflector combination showed TCP session latency of less than 1 ms, with HTTP latency climbing no higher than 25 ms under a load of 27,000 HTTP transactions per second, distributed over four back-end Web servers simulated by the WebReflector. Because the N2000 uses a half-NAT (Network Address Translation) scheme, a virtual service and its supporting back-end servers must be on different subnets. This also means that the N2000 does not support DSR (direct server return). Given the high-volume backplane, this should not be the concern it might be with lower-capacity load balancers. Throughput averages of 750 Mbps were not a problem, and the N2000 appeared limited only by our test equipment.
With advanced Layer 4 testing you can use more varied algorithms because sessions are passed through the TideRunner chip. Running the same tests with a round-robin algorithm showed no increase in TCP session latency, with HTTP latency peaking at 60 ms to 70 ms.
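The two selection schemes described above, strict Layer 4 weighted hashing and the round-robin used in the advanced Layer 4 test, as an added illustration that is not Nauticus code and does not reproduce the N2000's actual hash function: the pool addresses and weights are constructed, and the hash over the client IP and port is one reasonable choice that shows why a hash binds a flow to one server with no per-session state, while round-robin needs a cursor but ignores weights.

```python
import hashlib
from itertools import cycle

# Constructed back-end pool: (server address, weight). Values are hypothetical.
POOL = [("10.1.1.11", 3), ("10.1.1.12", 3), ("10.1.1.13", 2), ("10.1.1.14", 2)]


def weighted_hash_select(pool, client_ip, client_port):
    """Strict Layer 4 style selection (assumed scheme, not the N2000's own).

    A deterministic hash of the client tuple is reduced modulo the total
    weight and mapped onto the pool in proportion to each server's weight.
    The same client tuple therefore always lands on the same server, which is
    how a flow can be bound to a server without keeping a session table.
    """
    total = sum(weight for _, weight in pool)
    key = f"{client_ip}:{client_port}".encode()
    slot = int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % total
    for addr, weight in pool:
        if slot < weight:
            return addr
        slot -= weight
    raise AssertionError("unreachable: slot always falls inside a weight range")


class RoundRobin:
    """Advanced Layer 4 style selection: a stateful cycle over the pool.

    Each call hands out the next server regardless of weight, so the balancer
    must track a cursor (and, for persistence, a session table) per service.
    """

    def __init__(self, pool):
        self._servers = cycle(addr for addr, _ in pool)

    def next(self):
        return next(self._servers)


def distribution(pool, flows):
    """Count how many constructed client flows the weighted hash sends to each server."""
    counts = {addr: 0 for addr, _ in pool}
    for client_ip, client_port in flows:
        counts[weighted_hash_select(pool, client_ip, client_port)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: 10,000 flows from a /16 of client addresses.
    sample = [(f"192.0.2.{i % 254 + 1}", 1024 + i) for i in range(10_000)]
    for server, hits in sorted(distribution(POOL, sample).items()):
        print(server, hits)
```

The weight-3 servers receive about half again as many flows as the weight-2 servers over a large sample, and repeating a lookup for the same client tuple returns the same server every time, which is the property the strict Layer 4 mode relies on.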
Rules and Routing
The N2000 lets you create content-matching rules, which can be used by any forwarding policy, meaning rules can be configured on virtually any portion of the URI as well as almost all HTTP headers.
Also unique to the N2000 is the ability to create rules based on HTTP responses as well as HTTP requests. I configured two policies, one to match on JPEG images and the other a default wildcard-based rule. Matching is case sensitive, so it's necessary to consider all possible cases, which can make rules grow unwieldy. Policies make use of rules and assign positive matches of a rule to a group of real servers. Rules are not strictly bound to groups or individual servers, as they are with other Layer 7 devices; they are instead used by policies to make routing decisions. Running the same test on Layer 7 that I had run on Layer 4, TCP latency was still less than 1 ms, but as expected, HTTP latency increased, peaking at 1,000 ms and averaging 500 ms to 600 ms overall under heavy load.
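The rule-and-policy model just described, as an added example that is not N2000 configuration or Nauticus code: rules match a regular expression against a URI or an HTTP header on either the request or the response, policies bind a positive match to a named server group, and anything unmatched falls through to the default group. The rule names, group names and sample messages are constructed. The example also shows the case-sensitivity point: a rule written for `.jpg` misses `.JPG` and sends it to the default group, whereas a single case-insensitive rule covers every spelling without enumerating them.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """A content-matching rule: a regex applied to one field of a message."""

    name: str
    field: str                  # "uri" or "header:<Header-Name>"
    pattern: str
    direction: str = "request"  # "request" or "response"
    ignore_case: bool = False   # False mirrors the N2000's case-sensitive matching

    def matches(self, message):
        if self.field == "uri":
            value = message.get("uri", "")
        elif self.field.startswith("header:"):
            # Header names are case-insensitive in HTTP; only the value is
            # subject to the rule's case setting.
            wanted = self.field.split(":", 1)[1].lower()
            headers = {k.lower(): v for k, v in message.get("headers", {}).items()}
            value = headers.get(wanted, "")
        else:
            raise ValueError(f"unknown rule field {self.field!r}")
        flags = re.IGNORECASE if self.ignore_case else 0
        return re.search(self.pattern, value, flags) is not None


@dataclass
class Policy:
    """Binds a positive match of a rule to a group of real servers."""

    rule: Rule
    group: str


def select_group(policies, message, direction="request", default_group="default"):
    """Evaluate policies in order for the given direction; the first rule that
    matches decides the group, otherwise the wildcard/default group is used."""
    for policy in policies:
        if policy.rule.direction == direction and policy.rule.matches(message):
            return policy.group
    return default_group


# Constructed rules and policies (names are hypothetical).
JPEG_URI = Rule("jpeg-uri", "uri", r"\.jpg$")
JPEG_URI_CI = Rule("jpeg-uri-ci", "uri", r"\.jpe?g$", ignore_case=True)
JPEG_RESPONSE = Rule("jpeg-content-type", "header:Content-Type",
                     r"^image/jpeg", direction="response")

STRICT_POLICIES = [Policy(JPEG_URI, "image-servers")]
RELAXED_POLICIES = [Policy(JPEG_URI_CI, "image-servers")]
RESPONSE_POLICIES = [Policy(JPEG_RESPONSE, "image-cache")]


def demo():
    """Run constructed request and response messages through each policy set."""
    lower = {"uri": "/images/logo.jpg", "headers": {"Host": "www.example.com"}}
    upper = {"uri": "/images/LOGO.JPG", "headers": {"Host": "www.example.com"}}
    response = {"status": 200, "headers": {"Content-Type": "image/jpeg"}}
    return {
        "strict_lower": select_group(STRICT_POLICIES, lower),
        "strict_upper": select_group(STRICT_POLICIES, upper),    # falls to default
        "relaxed_upper": select_group(RELAXED_POLICIES, upper),
        "response": select_group(RESPONSE_POLICIES, response, direction="response"),
    }


if __name__ == "__main__":
    for label, group in demo().items():
        print(f"{label:14s} -> {group}")
```

Policies are kept as an ordered list so that a rule's position decides precedence when two rules would both match; the default group is the equivalent of the wildcard policy in the test above, and the response-side policy shows a rule keyed on a response header rather than the request URI.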
Speed
SSL acceleration is provided using two different integrated chipsets: one for bulk encryption, the other for the handshaking process. Changing the virtual service from HTTP to HTTPS requires only the generation (or installation) of a certificate and changing the service of the port and the service type. The Avalanche managed to churn out 1,600 SSL sessions per second and the N2000 handled it without breaking a sweat.
The potential for creative network design with virtual switching is limitless. You can consolidate load balancers or use a single N2000 to support a tiered Web infrastructure. Four virtual switches can be supported, and each can be managed as a separate entity with user authentication and authorization provided internally or via TACACS+ (LDAP or RADIUS will be provided in a future release). Pricing is flexible, depending on functionality.
Lori MacVittie is a Network Computing technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].